CVE-2026-55892
Status: Undergoing Analysis - In Progress
Stack Out-of-Bounds Write in Vim Text Editor

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
vim | vim | 9.2.0662
vim | vim | to 9.2.0662 (exc)
CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-55892 is a stack out-of-bounds write vulnerability in the Vim text editor versions prior to 9.2.0662. It occurs in the dump_prefixes() function within src/spell.c, which iteratively walks a spell-file prefix trie using a depth counter. This counter is not checked against the fixed size of the stack arrays it indexes (prefix[], arridx[], curi[]), each limited to 254 elements (MAXWLEN).

A specially crafted .spl file can exploit this by forcing the depth counter beyond the array limits, causing writes past the end of these arrays. This corrupts the call stack and crashes the editor. The vulnerability is triggered when a user enables spell checking and dumps the word list, for example via the :spelldump command.

The issue can be exploited by delivering a malicious spell file through repositories or archives that Vim loads based on spelllang, spellfile, or runtimepath settings. The vulnerability was fixed in Vim patch version 9.2.0662 by limiting the depth counter to prevent out-of-bounds writes.
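
The missing bound described above, shown as an added example (this is not Vim's code or its patch): a simplified iterative trie walk with the depth check in place. The trie layout, DEMO_NODES, walk_prefixes() and walk_chain() are assumptions made for the demonstration; only MAXWLEN and the array names come from the description.

```c
#include <string.h>
#define MAXWLEN    254   /* array size given on the page */
#define DEMO_NODES 400   /* constructed: allows chains deeper than MAXWLEN */

/* Simplified trie, an assumed layout for this demo (not the .spl format):
 * byts[n] is the entry count of node n, followed by that many bytes; a 0
 * byte ends a prefix, any other byte descends to node idxs[slot]. */
typedef struct {
    unsigned char byts[2 * DEMO_NODES + 2];
    int           idxs[2 * DEMO_NODES + 2];
} trie_T;

/* Returns the number of prefixes found, or -1 when the trie is too deep. */
int walk_prefixes(const trie_T *t)
{
    int arridx[MAXWLEN], curi[MAXWLEN], depth = 0, count = 0;
    unsigned char prefix[MAXWLEN];
    arridx[0] = 0; curi[0] = 1;
    while (depth >= 0) {
        int n = arridx[depth];
        if (curi[depth] > t->byts[n]) { --depth; continue; }  /* node done */
        n += curi[depth]++;
        if (t->byts[n] == 0) { ++count; continue; }           /* prefix end */
        /* Without this check only the trie limits depth, and the writes
         * below run past arridx[] and curi[] once depth is MAXWLEN - 1. */
        if (depth >= MAXWLEN - 1)
            return -1;
        prefix[depth++] = t->byts[n];
        arridx[depth] = t->idxs[n];
        curi[depth] = 1;
    }
    (void)prefix;   /* built but not printed in this demo */
    return count;
}

/* Constructed input: one chain of `levels` nodes ending in one prefix. */
int walk_chain(int levels)
{
    static trie_T t;
    if (levels < 0 || levels > DEMO_NODES) return -2;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < levels; i++) {
        t.byts[2 * i] = 1; t.byts[2 * i + 1] = 'a';
        t.idxs[2 * i + 1] = 2 * (i + 1);
    }
    t.byts[2 * levels] = 1;   /* leaf: one entry, the 0 byte from memset */
    return walk_prefixes(&t);
}
```

A chain of MAXWLEN - 1 levels is the deepest the fixed arrays can hold; one level more is rejected before any index leaves the arrays.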

Impact Analysis

This vulnerability can cause the Vim editor to crash due to stack corruption when processing a maliciously crafted spell file. The impact is primarily on availability, as the editor becomes unstable and unusable during the exploit.

The attack requires local access and user interaction, such as opening or dumping a word list with a malicious .spl file. There is no impact on confidentiality or integrity, but the denial of service caused by the crash can disrupt workflows.

Detection Guidance

This vulnerability is triggered when a user enables spell checking in Vim and performs a word list dump using the :spelldump command or spelling completion. Detection involves checking if Vim is running a vulnerable version prior to 9.2.0662 and if any maliciously crafted .spl files are loaded.

To detect exploitation attempts or presence of the vulnerability, you can monitor for crashes of the Vim editor during spell checking or word list dumping operations.

Suggested command to test if your Vim is vulnerable: open Vim and run the command :spelldump. If Vim crashes or behaves unexpectedly, it may be vulnerable or exposed to crafted .spl files.

Additionally, verify the Vim version installed by running: vim --version. Versions prior to 9.2.0662 are vulnerable.

Mitigation Strategies

The primary mitigation step is to update Vim to version 9.2.0662 or later, where the vulnerability has been fixed.

Avoid loading or using untrusted or maliciously crafted .spl spell files, especially those obtained from unverified repositories or archives.

Limit user interaction with potentially malicious spell files by restricting access to spell checking features or disabling spell file dumping commands until the update is applied.
